Episode 02: Password Managers: Put All Your Eggs in This Basket

Imagine that you put all your most sensitive information under a single set of credentials. Well, you don’t have to imagine it; I can almost guarantee you already do. Almost every account you own can be reset if the one service you use daily, your email account, is compromised. Let me make the argument for how one change can vastly improve your everyday personal security posture, and even make your web browser easier to use.

What is a password manager? A password manager is much like the “save my password” functionality in Google’s Chrome web browser or Microsoft’s Internet Explorer, but with significantly better security. Arguably the four most popular password managers today are 1Password, Dashlane, KeePassX, and my personal choice: LastPass. Most have a built-in browser extension that autofills login forms for you, so there are no keystrokes for a keylogger to capture. Additionally, many can even change your passwords automatically every month, or at a set interval. This isn’t a paid, sponsored, or otherwise endorsed post, but as a premium feature, LastPass will even allow you to securely store other sensitive notes as part of your vault. All have differing benefits, but the one constant is great password security!

For starters, let’s get a baseline.

Read these next few lines and be honest with yourself: does this sound accurate? You care that your banking, credit cards, email conversations, and personal information across all services remain confidential. You also have a password that is less than 12 characters long and contains words you could find in an English dictionary, even if a letter has been swapped for a number or a special character (i -> !). Even more striking, according to a survey by the infosec company Avast, if you belong to the larger 88% of Americans, you know this isn’t a great idea, but because of the inconvenience, you can’t be bothered to do anything about it.

The fact of the matter is that while most people will do a whole lot to keep their money, family, and privacy from being compromised, they draw the line at password security, and the reason is primarily a lack of convenience. But it is honestly unreasonable to expect someone to log into every account and manually change their password once a month, and even more unreasonable to think they’d then remember it.

Before you continue on, please do two things. First, go visit the following site to find out if/when your email has shown up in a recently reported database breach: https://haveibeenpwned.com/. Then, visit this site to see how long it would take a normal desktop computer to crack your password and compare the timeframes: https://howsecureismypassword.net/. Consider that a lower bound: most real password crackers that attackers use are custom built specifically for cracking and are hundreds if not thousands of times faster than a standard computer.

*Both sites are run by security experts, and the latter’s code is open source.

But you’re still telling me to put all my sensitive information behind just one password?

Yes. Unfortunately, for the general majority of people, myself absolutely included, remembering even tens of different passwords is impossible. Fortunately, password managers allow us to mitigate all but one of our weak spots. Compromise of the master password is something we can make less likely, but it remains the one point of weakness in this architecture.

The greater vulnerability, the use of identical passwords on every service, is the one we can mitigate with this strategy. Using a different password on every service takes hundreds of possible points of failure down to one: your password manager. By using a password manager we can create a different password for every service we access, each virtually uncrackable with modern computing technology. Instead of the password “MyPasswordSux123” on every account because we can’t remember more than one or two, we can now easily have a long random string such as “6je7%%R8q&bc4FI22j&X^kYdq” on each service, plus a single secure master password, which we can also improve, since we no longer have to remember as many variations. Even better, our password manager can automatically update our passwords on a set interval.

Okay, but isn’t a password manager a high-value target then?

Of course it is, and far more than any other service, but those who develop these applications inherently care more about security than Joe’s pizza delivery service down the street. Let’s quickly discuss how these sites protect themselves, and by extension, you.

Password managers don’t store the key for your data. You encrypt your data client-side before you send it over the network; the encrypted data is sent back to you upon request and you decrypt it client-side. This means that if an employee decides to compromise the site, or the service is somehow hacked, the password manager provides the attacker the same data it would provide you upon request, but not the key. They don’t even have the key in any hashed form.

But we still need to authenticate to the server in order to get the vault, right? Yes, and we can effectively prove our identity through a process that is very similar to salting. My password manager of choice (LastPass) does this by appending my email to my master password and hashing the result, which defeats a precomputed dictionary attack outright and forces the much slower brute-force search over an effective key length often higher than 50 characters. At the low end, the math works out to 95 characters (printable ASCII) to the 50th power, i.e. 95^50, or about 7.6944975e+98 possible combinations.

That’s the quick and dirty version. For more information you can check out this video from Computerphile: https://www.youtube.com/watch?v=w68BBPDAWr8, or dig around on the ol’ interwebs a bit; there is plenty of ongoing research out there. The best security is logically simple, and therefore the processes are often easy to conceptualize.

PW Managers over Browser-Based Saving Functions

Unfortunately, even today, many browsers will save your passwords, but they save them locally and unencrypted. If someone compromises your computer with even a basic piece of malware, they can grab all your credentials and easily pivot. Password managers don’t save anything locally and only send highly encrypted information to the server, so a local compromise gives an attacker nothing. Additionally, a keylogger is largely irrelevant because the password manager autofills pages on request, so there are no typed credentials to capture, making credential theft through a keylogger very difficult.

Key Takeaway (TL;DR) and Conclusion

Ultimately, while there may be highly specific situations where you don’t want to use a password manager, in everyday use of technology password managers provide an enormous benefit through reduction of attack surface and better security at the border. Creating a good master password is still vitally important, but most security researchers will advocate for password managers, and a majority use one themselves.